US20230177202A1 - Privacy aware multi channel data transfer - Google Patents
- Publication number
- US20230177202A1 (application US17/545,372)
- Authority
- US
- United States
- Prior art keywords
- data
- vehicle
- access identifier
- random value
- entity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6254—Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/42—Anonymization, e.g. involving pseudonyms
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- Medical Informatics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
Managing data transfer and privacy via a multi-channel transfer of information is provided. A query is received from a client device, the query indicating an access identifier corresponding to an entity for which data is stored. A consented data pool is accessed to identify a random value corresponding to the access identifier. A hash value is computed using a combination of both the access identifier and the random value. An anonymous data pool of stored data is queried to identify results from the stored data tagged with the hash value. The results are returned to the client device responsive to the query.
Description
- Aspects of the disclosure relate to the managing of data transfer and privacy consent levels using multiple channels of communication and privacy constraints.
- Personally-identifiable information (PII) includes many forms of information that could identify a human being. PII may include textual information such as names, addresses, and birth dates. PII may include other information as well, such as photographs of people, house addresses, or vehicle license plates. Data analytics may require the use of large sets of collected data. These data sets may include PII.
- In one or more illustrative examples, a system for managing data transfer and privacy via a multi-channel transfer of information is provided. The system includes one or more data servers, programmed to receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored; access a consented data pool to identify a random value corresponding to the access identifier; compute a hash value using a combination of both the access identifier and the random value; query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and return the results to the client device responsive to the query.
- In one or more illustrative examples, a method for managing data transfer and privacy via a multi-channel transfer of information is provided. A query is received from a client device, the query indicating an access identifier corresponding to an entity for which data is stored. A consented data pool is accessed to identify a random value corresponding to the access identifier. A hash value is computed using a combination of both the access identifier and the random value. An anonymous data pool of stored data is queried to identify results from the stored data tagged with the hash value. The results are returned to the client device responsive to the query.
- In one or more illustrative examples, a non-transitory computer-readable medium comprising instructions for managing data transfer and privacy via a multi-channel transfer of information is provided. The instructions, when executed by one or more data servers, cause the one or more data servers to perform operations including to receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored; access a consented data pool to identify a random value corresponding to the access identifier; compute a hash value using a combination of both the access identifier and the random value; query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and return the results to the client device responsive to the query.
- FIG. 1 illustrates an example system for managing data transfer and privacy via a multi-channel transfer of information;
- FIG. 2 illustrates an example data flow using two communications channels;
- FIG. 3 illustrates an example process for storing vehicle data to the data servers;
- FIG. 4 illustrates an example process for the access of vehicle data from the data servers;
- FIG. 5 illustrates an example process for the vehicle sending vehicle data to the data servers for storage;
- FIG. 6 illustrates an example process for querying the data servers for vehicle data; and
- FIG. 7 illustrates an example of a computing device for managing data transfer and privacy via a multi-channel transfer of information.
- As required, detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely exemplary of the invention that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.
- Data may be collected from vehicles or other devices. This data may be collected, anonymized, and transferred to a cloud system. It may be desirable that such data is not tied to the vehicles, the other devices, or users of the vehicles or devices without consent. If a user consents to providing data in exchange for access to certain advanced features, then the anonymous data may be linked to the user via consented data. The user may revoke the consent at any time, and if so, the consented data link to the user should be severed. If consent is not given, the user's identity should not be tracked. Even without the data to link the data to specific users, it may be desirable for some access to be provided to the anonymized data.
- A communication channel where anonymous data is sent may be different than the channels used for the consented data. The anonymized data may also land in a different server than the consented data. Each server may also have different control mechanisms. Therefore, it is desirable that data residing on the anonymized data server cannot, in itself, be linked to a user via the anonymous data pool. As discussed in detail herein, a multi-channel approach may be used to send anonymized data and to link the data to a consenting user. This allows the channel transmitting anonymized data to avoid the implementation of stringent rules, as the anonymized data cannot be linked to a user via that channel.
- FIG. 1 illustrates an example system 100 for managing data transfer and privacy via a multi-channel transfer of information. In such a system, a vehicle 102 (or other entity collecting information) may include one or more data sources 104 (such as sensors or other controllers) to capture vehicle data 106 (or other data). The vehicle 102 may include a storage 108 configured to maintain the vehicle data 106. The vehicle 102 may also include a telematics control unit (TCU) 110 configured to communicate via communications channels 112 over a communications network 114 with one or more data servers 116. The data servers 116 may maintain data pools 118 as well as access identifiers (IDs) 120 to link the vehicle data 106 to specific users. A client device 122 may be used to query the data servers 116 for the vehicle data 106. It should be noted that the system 100 is an example, and systems 100 having more, fewer, or different elements may be used. For instance, while a single vehicle 102 and a single client device 122 are shown, it is contemplated that systems 100 could include many vehicles 102 and/or many client devices 122. As another example, while two data servers 116 are shown, it should be noted that implementations may include just one server, or in other cases many servers for load balancing or other networking purposes. As an even further example, while many examples herein relate to vehicles 102 and vehicle data 106, the vehicles 102 may be other types of entities or devices, and the vehicle data 106 may be other types of data unrelated to vehicles 102.
- The vehicle 102 may include various types of automobile, crossover utility vehicle (CUV), sport utility vehicle (SUV), truck, recreational vehicle (RV), boat, plane or other mobile machine for transporting people or goods. In many cases, the vehicle 102 may be powered by an internal combustion engine. As another possibility, the vehicle 102 may be a battery electric vehicle (BEV) powered by one or more electric motors. As a further possibility, the vehicle 102 may be a hybrid electric vehicle powered by both an internal combustion engine and one or more electric motors, such as a series hybrid electric vehicle, a parallel hybrid electric vehicle, or a parallel/series hybrid electric vehicle. As the type and configuration of vehicle 102 may vary, the capabilities of the vehicle 102 may correspondingly vary. As some other possibilities, vehicles 102 may have different capabilities with respect to passenger capacity, towing ability and capacity, and storage volume. The vehicles 102 may be identified by various identifiers, such as vehicle identification numbers (VINs) or globally unique identifiers (GUIDs), as some non-limiting examples.
- The data sources 104 may include various devices configured to capture vehicle data 106 of the vehicle 102 environment. In an example, the data sources 104 may include visible light cameras or infrared cameras configured to capture still images and/or video data. In another example, the data sources 104 may include sensors configured to determine three-dimensional (3D) information, such as radar sensors or lidar sensors. The vehicle data 106 may be stored to a database, memory, or other storage 108 of the vehicle 102.
- In some instances, the data sources 104 may be configured to capture vehicle data 106 of the surroundings of the vehicle 102. For instance, the data sources 104 may be configured to generate vehicle data 106 of the roadway, of other vehicles 102, of pedestrians, or of obstacles. This vehicle data 106 may be useful for driver assistance systems, for autonomous driving systems, for a security camera device, for dash camera applications, and/or for recording driving data for recreation (e.g., track days). However, the capture of such vehicle data 106 may involve the capture of PII. For instance, license plates of other vehicles may be captured in the vehicle data 106. Faces of pedestrians may be captured in the vehicle data 106 as another example.
- Some data sources 104 may additionally or alternately be configured to capture vehicle data 106 inside of the vehicle 102, such as of the vehicle 102 cabin. This vehicle data 106 may be useful for applications such as driver awareness verification, vehicle occupancy detection, incident analysis, video conferencing, or to ensure that infants or belongings are not left behind in the vehicle 102.
- The TCU 110 may be configured to provide telematics services to the vehicle 102. These services may include, as some non-limiting possibilities, navigation, turn-by-turn directions, vehicle health reports, local business search, accident reporting, and hands-free calling. The TCU 110 may accordingly be configured to utilize a transceiver to communicate with a communications network 114 over one or more communications channels 112.
- The communications network 114 may provide communications services, such as packet-switched network services (e.g., Internet access, voice over Internet Protocol (VoIP) communication services), to devices connected to the communications network 114. An example of a communications network 114 is a cellular telephone network. For instance, the TCU 110 may access the cellular network via connection to one or more cellular towers. To facilitate the communications over the communications network 114, the TCU 110 may be associated with unique device identifiers (e.g., mobile device numbers (MDNs), Internet protocol (IP) addresses, etc.) to identify the communications of the TCU 110 on the communications network 114 as being associated with the vehicle 102.
- The data servers 116 may be computing devices configured to communicate with the vehicles 102 over the communications network 114. The data servers 116 may be configured to receive vehicle data 106 from the vehicles 102, as well as in some cases to maintain access IDs 120 that allow the client devices 122 to access identity information corresponding to the vehicle data 106. As a specific example, an anonymous data server 116A may maintain an anonymous data pool 118A. The anonymous data pool 118A may store vehicle data 106 that is anonymous, regardless of whether the user has consented to data collection. A consented data server 116B may maintain a consented data pool 118B of access IDs 120 for accessing identity information of users corresponding to the vehicle data 106 in the consented data pool 118B.
- A first communication channel 112A may be used to communicate anonymous vehicle data 106 with the anonymous data server 116A. A second communication channel 112B may be used to communicate consented vehicle data 106 and access IDs 120 with the consented data server 116B.
- The access IDs 120 may be identifiers of the entities for which the data is stored. As one non-limiting example, the access IDs 120 may be VINs or GUIDs corresponding to the vehicles 102 providing the vehicle data 106. It should be noted, however, that the access IDs 120 are not limited to VINs or GUIDs and may be any other unique identifier of a vehicle 102 or other device.
- The access IDs 120 may be configured to allow users to have access to different levels of information included within the consented data pool 118B. For instance, a first access ID 120 may allow the client device 122 to have access to identity information for a first user but not other users in the consented data pool 118B, while a second access ID 120 may allow the user to have access to identity information for a second user in the consented data pool 118B.
- FIG. 2 illustrates an example data flow 200 using two communications channels 112. The first communication channel 112A may be used to send anonymous vehicle data 106 to the anonymous data server 116A. The second communication channel 112B may be used to send user-identifiable vehicle data 106 to the consented data server 116B.
- The vehicle 102 may generate a random number (referred to herein as R). The random number R may be a number of length significant enough to make guessing impractical but short enough to allow for efficient data storage, such as 32 bits, 64 bits, 128 bits, 256 bits, etc. The vehicle 102 may generate the value of R responsive to various trigger criteria. For instance, the vehicle 102 may generate a new value for R responsive to the vehicle 102 entering a motive mode where the vehicle 102 is mobile (e.g., ignition on). In other examples, the vehicle 102 may generate a new value for R based on time-specific criteria, such as daily or weekly.
- In some examples, the data servers 116 may send information to the vehicle 102 to aid in random number generation at the vehicle 102. This may be done, for example, to ensure the vehicle 102 has adequate entropy to generate a suitably random value for R. To ensure uniqueness of R, in some examples, the data servers 116 may assign the vehicle 102 a set of random numbers R which the data servers 116 determine to be unique to the vehicle 102. In another example, the data servers 116 may provide a seed to be used in a pseudorandom number generation algorithm on the vehicle 102 to ensure that R is unique to the vehicle 102.
- If a user of the vehicle 102 has given consent to data collection, then the vehicle 102 may generate the new value of R. If, however, the user of the vehicle 102 has not given consent (or has revoked consent), then the vehicle 102 may utilize a predefined value of R that signifies no consent. As one example, a value of zero may be used for the purpose of signifying a lack of consent.
- The vehicle 102 may be configured to send vehicle data 106 to the data servers 116. Responsive to vehicle data 106 being available to send to the data servers 116, the vehicle 102 may determine whether consent is provided for the sharing of identifiable information of the user. If consent has been provided, then the vehicle data 106 is tagged with a value that provides information with respect to the origin of the data. In one example, this tagged value may be a hash of the random value R and the access ID 120 (e.g., the VIN of the vehicle 102, a GUID corresponding to the vehicle 102, etc.). If consent has not been provided, then the vehicle data 106 is tagged with the predefined value of R that signifies no consent (e.g., zero). The hash algorithm may be any of various typically one-way cryptographic hash functions that receive information and generate a data element of generally predefined size. Example hashing algorithms may include MD5, SHA-1, SHA-2, NTLM, and LANMAN, as some non-limiting possibilities.
- Through the first communication channel 112A, the vehicle data 106 and the hash of R and the access ID 120 may be sent to the anonymous data server 116A. Through the second communication channel 112B, R and the access ID 120 may be sent to the consented data server 116B.
- The consented data server 116B, responsive to receiving an R that signifies consent and an access ID 120, may compute the hash of R and the access ID 120. This may be the same hash that is executed on the vehicle 102 for tagging of the vehicle data 106 that is sent to the anonymous data server 116A. The consented data server 116B may utilize this hash to query the anonymous data server 116A for matching vehicle data 106.
- Thus, while stored to the anonymous data server 116A the vehicle data 106 may remain anonymous. However, if R signifies consent and the access ID 120 is known, then the vehicle data 106 can be linked to a specific user through use of the services of the consented data server 116B. In some examples, if this is the case the vehicle data 106 may be captured by the consented data server 116B for storage in the consented data pool 118B. In other examples, the vehicle data 106 may be pulled from the anonymous data pool 118A as requested by client devices 122 and may not be maintained on the consented data server 116B.
- It should be noted that while two communications channels 112 are shown in the data flow 200, in other examples additional communications channels 112 may be used. For instance, different communications channels 112 may use their own unique R values. Hence, different communications channels 112 may utilize different hashes for securing different aspects of vehicle data 106. Yet, these different channels may perform consent differently and may be unable to link data among themselves.
- If consent is not given, R signifies that lack of consent (e.g., zero). Thus, even if the access ID 120 of the vehicle 102 is tied to the R signifying the lack of consent, all vehicles 102 using the data servers 116 that are also non-consenting will also use the same R. In doing so, it may be impossible to link vehicle data 106 to its correct vehicle 102 for vehicles 102 where consent is not given. This is because each vehicle 102 will link to all anonymous vehicle data 106 from all non-consenting vehicles 102.
- If consent is given, then R is unique. An analyst having access to the anonymous data server 116A may be able to use the client device 122 to access the anonymous data pool 118A. However, by knowing R alone, the analyst is unable to tie the vehicle data 106 stored in the anonymous data pool 118A with the vehicle 102. Moreover, the value of R tied to the vehicle data 106 may change over time as noted above. Therefore, it is not possible for the analyst to identify which vehicle 102 ties to this vehicle data 106.
- However, if the analyst also has access to the consented data server 116B, then the analyst may be able to retrieve the link between R and the access ID 120. For instance, the analyst may utilize the access ID 120 to query for the values of R corresponding to the vehicle 102. By using this additional access ID 120 information, the analyst using the client device 122 may be able to generate or retrieve the hash of R and the access ID 120 corresponding to the vehicle 102, and use this value to query the vehicle data 106 for data specific to the vehicle 102 whose access ID 120 is being used.
- Moreover, the link between vehicle data 106 and a vehicle 102 may be severed if consent is revoked. For instance, deleting user information may be as simple as setting all vehicle data 106 tagged with a hash of R and the access ID 120 to the value of R signifying a lack of consent. This operation may be performed efficiently by the data servers 116, and once complete, it would no longer be possible to identify the vehicle data 106 of the user.
- FIG. 3 illustrates an example process 300 for storing vehicle data 106 to the data servers 116. In an example, the process 300 may be performed by the anonymous data server 116A and the consented data server 116B in the context of the system 100.
- At operation 302, the data servers 116 send R information to the vehicle 102. In an example, the R information may include a set of random numbers R which the data servers 116 determine to be unique to the vehicle 102. In another example, the R information may include a seed to be used in a pseudorandom number generation algorithm on the vehicle 102 to ensure that R is unique to the vehicle 102.
- At operation 304, the data servers 116 receive tagged vehicle data 106 from the vehicle 102. In an example, if the vehicle 102 consents to identifiability of the user's information, the tagged vehicle data 106 may be tagged by the vehicle 102 with a hash of R and the access ID 120 of the vehicle. If consent is not given, the tagged vehicle data 106 may be tagged by the vehicle 102 with a hash of the value of R signifying a lack of consent and the access ID 120 of the vehicle. Or, if consent is not given, the tagged vehicle data 106 may be tagged by the vehicle 102 with the value of R signifying a lack of consent and no access ID 120. Regardless, this vehicle data 106 may be received over the communications network 114 via the first communication channel 112A at the anonymous data server 116A.
- At operation 306, the data servers 116 receive R and the access ID 120. In an example, if the vehicle 102 consents to identifiability of the user's information, R and the access ID 120 are received over the communications network 114 via the second communication channel 112B at the consented data server 116B.
- At operation 308, the data servers 116 maintain the received information. For instance, the information received at operation 304 is stored to the anonymous data pool 118A and the information received at operation 306 is stored to the consented data pool 118B. After operation 308, the process 300 ends.
- FIG. 4 illustrates an example process 400 for the access of vehicle data 106 from the data servers 116. In an example, the process 400 may also be performed by the anonymous data server 116A and the consented data server 116B in the context of the system 100.
- At operation 402, the data servers 116 receive a query including the access ID 120 for vehicle data 106. In an example, the data servers 116 may receive the query over the communications network 114 from the client device 122.
- At operation 404, the data servers 116 query for R. In an example, the data servers 116 may query the consented data pool 118B for the values of R that correspond to the access ID 120.
- At operation 406, the data servers 116 generate a hash of the access ID 120 received at operation 402 and the R queried at operation 404. In an example, the hash may be a one-way cryptographic hash algorithm such as one of the examples mentioned above.
- At operation 408, the data servers 116 query the data pools 118. In an example, the data servers 116 query the anonymous data pool 118A for the vehicle data 106 tagged with the hash value computed at operation 406.
- At operation 410, the data servers 116 return the result of the query at operation 408. In an example, the resultant vehicle data 106 is sent to the client device 122 that sent the request received at operation 402. After operation 410, the process 400 ends.
- FIG. 5 illustrates an example process 500 for the vehicle 102 sending vehicle data 106 to the data servers 116 for storage. In an example, the process 500 may be performed by the vehicle 102 in the context of the system 100.
- At operation 502, the vehicle 102 receives the R information. In an example, the vehicle 102 may receive the information sent at operation 302 of the process 300.
- At operation 504, the vehicle 102 generates R. In an example, the vehicle 102 may choose R from a set of R values received at operation 502. In another example, the vehicle 102 may use a seed received at operation 502 to generate one or more values of R using a pseudorandom number generation algorithm on the vehicle 102.
- At operation 506, the vehicle 102 generates a hash of R and the access ID 120 of the vehicle 102. In an example, the access ID 120 may be stored to the vehicle 102 and retrieved, e.g., as communicated over a vehicle bus, stored to a memory of the TCU 110, etc. The hash may be generated using the same approach as done in operation 406 of the process 400.
- At operation 508, the vehicle 102 tags vehicle data 106 with the hash generated at operation 506. In one example, the vehicle 102 may apply the hash as metadata to the vehicle data 106.
- At operation 510, the vehicle 102 sends the tagged vehicle data 106 to the data servers 116. This data may be sent by the TCU 110 of the vehicle 102 to the anonymous data server 116A via the first communication channel 112A over the communications network 114 as discussed at operation 304 of the process 300.
- At operation 512, the vehicle 102 sends the consented information to the data servers 116. This information may be sent by the TCU 110 of the vehicle 102 to the consented data server 116B via the second communication channel 112B over the communications network 114 as discussed at operation 306 of the process 300. After operation 512, the process 500 ends.
FIG. 6 illustrates anexample process 600 for querying the data servers 116 forvehicle data 106. In an example, theprocess 600 may be performed by theclient device 122 of thesystem 100. - At
operation 602, theclient device 122 sends a query to the data servers 116. In an example, the query may include an indication of anaccess ID 120 specified by an analyst accessing theclient device 122. The query may be received by the data servers 116 as discussed inoperation 402 of theprocess 400. - At
operation 604, theclient device 122 receives the result of the query. The query may be sent from the data servers 116 and received to theclient device 122 as discussed inoperation 410 of theprocess 400. Afteroperation 604, theprocess 600 ends. -
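The following is an added example, not code from the patent or its assignee, that models processes 400 and 500 end to end with in-memory stand-ins for the anonymous data pool 118A and the consented data pool 118B. The vehicle tags records with a hash of the access ID and R and ships the tagged records and the (access ID, R) pair over separate paths; the server side rebuilds the tag from the consented pool to answer a query, and the untag step of claim 3 is modelled as dropping the (access ID, R) pairs. SHA-256, the 16-byte R length, the length-prefixed hash input and all identifiers and telemetry values are assumptions or constructed samples; the page specifies only a one-way cryptographic hash.

```python
import hashlib
import secrets

# Constructed placeholder for access ID 120; the page gives no concrete VIN or GUID.
SAMPLE_ACCESS_ID = "VIN-EXAMPLE-0001"


def tag(access_id: str, r: bytes) -> str:
    """Operations 406 / 506: one-way hash over the access ID and R.

    SHA-256 is an assumption (the page only requires a one-way hash). The
    access ID is length-prefixed so two different (id, R) pairs cannot produce
    the same byte string by moving bytes between the two fields.
    """
    ident = access_id.encode("utf-8")
    msg = len(ident).to_bytes(2, "big") + ident + r
    return hashlib.sha256(msg).hexdigest()


class DataServers:
    """In-memory stand-in for data servers 116A/116B and data pools 118A/118B."""

    def __init__(self) -> None:
        self.anonymous_pool: dict[str, list[dict]] = {}  # pool 118A: tag -> records
        self.consented_pool: dict[str, set[bytes]] = {}  # pool 118B: access ID -> R values

    def issue_random_values(self, count: int = 4) -> list[bytes]:
        """Operation 302 / claim 4: hand the vehicle a set of R values.

        R must be unguessable: anyone who can enumerate R for a known access ID
        can recompute every tag and relink the anonymous pool to that entity.
        """
        return [secrets.token_bytes(16) for _ in range(count)]

    def receive_anonymous(self, tagged_records: list[dict]) -> None:
        """First communication channel 112A: tagged data, no identifier."""
        for rec in tagged_records:
            self.anonymous_pool.setdefault(rec["tag"], []).append(rec)

    def receive_consented(self, access_id: str, r_values: list[bytes]) -> None:
        """Second communication channel 112B: the access ID and its R values."""
        self.consented_pool.setdefault(access_id, set()).update(r_values)

    def query(self, access_id: str) -> list[dict]:
        """Process 400: access ID -> R values -> tags -> matching records."""
        found: list[dict] = []
        for r in self.consented_pool.get(access_id, set()):  # operation 404
            h = tag(access_id, r)                             # operation 406
            found.extend(self.anonymous_pool.get(h, []))      # operation 408
        return [rec["payload"] for rec in found]              # operation 410

    def untag(self, access_id: str) -> None:
        """Claim 3: drop the (access ID, R) pairs so the anonymous records can
        no longer be linked to the entity. The records themselves stay stored."""
        self.consented_pool.pop(access_id, None)


class Vehicle:
    """Process 500 as run on the vehicle 102 (TCU 110 side)."""

    def __init__(self, access_id: str, r_values: list[bytes]) -> None:
        self.access_id = access_id
        self.r_values = list(r_values)  # operation 502: R information received

    def send(self, servers: DataServers, payloads: list[dict]) -> None:
        r = secrets.choice(self.r_values)                      # operation 504
        h = tag(self.access_id, r)                             # operation 506
        tagged = [{"tag": h, "payload": p} for p in payloads]  # operation 508
        servers.receive_anonymous(tagged)                      # operation 510
        servers.receive_consented(self.access_id, [r])         # operation 512


def demo() -> dict:
    """Runs one vehicle through both processes and returns the observable counts."""
    servers = DataServers()
    car = Vehicle(SAMPLE_ACCESS_ID, servers.issue_random_values())
    # Constructed telemetry; note the payloads carry no identifier at all.
    car.send(servers, [{"speed_kph": 51, "odo_km": 12040}])
    car.send(servers, [{"speed_kph": 0, "odo_km": 12047}])
    linked = servers.query(SAMPLE_ACCESS_ID)
    other = servers.query("VIN-EXAMPLE-0002")  # constructed, never enrolled
    servers.untag(SAMPLE_ACCESS_ID)
    after_untag = servers.query(SAMPLE_ACCESS_ID)
    return {
        "linked": len(linked),
        "other": len(other),
        "after_untag": len(after_untag),
        "records_retained": sum(len(v) for v in servers.anonymous_pool.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The point the counts make: before untagging, the analyst's query for the enrolled access ID returns both records, an unknown access ID returns nothing, and after the consented pool entry is dropped the same query returns nothing even though both records are still in the anonymous pool. Whether that unlinkability holds in practice rests entirely on R being drawn with enough entropy and kept only in the consented pool.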
FIG. 7 illustrates an example 700 of a computing device 702 for managing data transfer and privacy via a multi-channel transfer of information. Referring to FIG. 7, and with reference to FIGS. 1-6, the TCU 110, data servers 116, and client devices 122 may be examples of such computing devices 702. As shown, the computing device 702 includes a processor 704 that is operatively connected to a storage 706, a network device 708, an output device 710, and an input device 712. It should be noted that this is merely an example, and computing devices 702 with more, fewer, or different components may be used.

The processor 704 may include one or more integrated circuits that implement the functionality of a central processing unit (CPU) and/or graphics processing unit (GPU). In some examples, the processors 704 are a system on a chip (SoC) that integrates the functionality of the CPU and GPU. The SoC may optionally include other components such as, for example, the storage 706 and the network device 708 into a single integrated device. In other examples, the CPU and GPU are connected to each other via a peripheral connection device such as peripheral component interconnect (PCI) express or another suitable peripheral data connection. In one example, the CPU is a commercially available central processing device that implements an instruction set such as one of the x86, ARM, Power, or Microprocessor without Interlocked Pipeline Stage (MIPS) instruction set families.

Regardless of the specifics, during operation the processor 704 executes stored program instructions that are retrieved from the storage 706. The stored program instructions, accordingly, include software that controls the operation of the processors 704 to perform the operations described herein. The storage 706 may include both non-volatile memory and volatile memory devices. The non-volatile memory includes solid-state memories, such as not and (NAND) flash memory, magnetic and optical storage media, or any other suitable data storage device that retains data when the system is deactivated or loses electrical power. The volatile memory includes static and dynamic random-access memory (RAM) that stores program instructions and data during operation of the system 100.

The GPU may include hardware and software for display of at least two-dimensional (2D) and optionally 3D graphics to the output device 710. The output device 710 may include a graphical or visual display device, such as an electronic display screen, projector, printer, or any other suitable device that reproduces a graphical display. As another example, the output device 710 may include an audio device, such as a loudspeaker or headphone. As yet a further example, the output device 710 may include a tactile device, such as a mechanically raiseable device that may, in an example, be configured to display braille or another physical output that may be touched to provide information to a user.

The input device 712 may include any of various devices that enable the computing device 702 to receive control input from users. Examples of suitable input devices that receive human interface inputs may include keyboards, mice, trackballs, touchscreens, voice input devices, graphics tablets, and the like.

The network devices 708 may each include any of various devices that enable the TCU 110, data server 116, and client devices 122 to send and/or receive data from external devices over networks. Examples of suitable network devices 708 include an Ethernet interface, a Wi-Fi transceiver, a cellular transceiver, or a BLUETOOTH or BLUETOOTH Low Energy (BLE) transceiver, ultra-wideband (UWB) transceiver, or other network adapter or peripheral interconnection device that receives data from another computer or external data storage device, which can be useful for receiving large sets of data in an efficient manner.

The processes, methods, or algorithms disclosed herein can be deliverable to/implemented by a processing device, controller, or computer, which can include any existing programmable electronic control unit or dedicated electronic control unit. Similarly, the processes, methods, or algorithms can be stored as data and instructions executable by a controller or computer in many forms including, but not limited to, information permanently stored on non-writable storage media such as read-only memory (ROM) devices and information alterably stored on writeable storage media such as floppy disks, magnetic tapes, compact discs (CDs), RAM devices, and other magnetic and optical media. The processes, methods, or algorithms can also be implemented in a software executable object. Alternatively, the processes, methods, or algorithms can be embodied in whole or in part using suitable hardware components, such as Application Specific Integrated Circuits (ASICs), Field-Programmable Gate Arrays (FPGAs), state machines, controllers or other hardware components or devices, or a combination of hardware, software and firmware components.

While exemplary embodiments are described above, it is not intended that these embodiments describe all possible forms encompassed by the claims. The words used in the specification are words of description rather than limitation, and it is understood that various changes can be made without departing from the spirit and scope of the disclosure. As previously described, the features of various embodiments can be combined to form further embodiments of the invention that may not be explicitly described or illustrated. While various embodiments could have been described as providing advantages or being preferred over other embodiments or prior art implementations with respect to one or more desired characteristics, those of ordinary skill in the art recognize that one or more features or characteristics can be compromised to achieve desired overall system attributes, which depend on the specific application and implementation. These attributes can include, but are not limited to cost, strength, durability, life cycle cost, marketability, appearance, packaging, size, serviceability, weight, manufacturability, ease of assembly, etc. As such, to the extent any embodiments are described as less desirable than other embodiments or prior art implementations with respect to one or more characteristics, these embodiments are not outside the scope of the disclosure and can be desirable for particular applications.
Claims (20)
1. A system for managing data transfer and privacy via a multi-channel transfer of information, comprising:
one or more data servers, programmed to
receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored;
access a consented data pool to identify a random value corresponding to the access identifier;
compute a hash value using a combination of both the access identifier and the random value;
query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and
return the results to the client device responsive to the query.
2. The system of claim 1, wherein the one or more data servers are further programmed to:
receive, via a first communication channel, anonymous data from the entity, the anonymous data being tagged with the hash value of both the access identifier corresponding to the entity and the random value;
receive, via a second communication channel, the access identifier and the random value;
maintain the anonymous data in the anonymous data pool; and
maintain the access identifier and the random value in the consented data pool.
3. The system of claim 1, wherein the one or more data servers are further programmed to untag the hash value from the anonymous data pool, such that the anonymous data pool is no longer linked to the access identifier and the random value.
4. The system of claim 1, wherein the one or more data servers are further programmed to send a set of random values to the entity, wherein the random value is one of the set of random values.
5. The system of claim 1, wherein the one or more data servers are further programmed to send a set of random values to the entity, wherein the random value is one of the set of random values.
6. The system of claim 1, wherein the entity is a vehicle.
7. The system of claim 1, wherein the access identifier is a vehicle identification number (VIN) or a globally unique identifier (GUID).
8. A method for managing data transfer and privacy via a multi-channel transfer of information, comprising:
receiving a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored;
accessing a consented data pool to identify a random value corresponding to the access identifier;
computing a hash value using a combination of both the access identifier and the random value;
querying an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and
returning the results to the client device responsive to the query.
9. The method of claim 8, further comprising:
receiving, via a first communication channel, anonymous data from the entity, the anonymous data being tagged with the hash value of both the access identifier corresponding to the entity and the random value;
receiving, via a second communication channel, the access identifier and the random value;
maintaining the anonymous data in the anonymous data pool; and
maintaining the access identifier and the random value in the consented data pool.
10. The method of claim 8, further comprising untagging the hash value from the anonymous data pool, such that the anonymous data pool is no longer linked to the access identifier and the random value.
11. The method of claim 8, further comprising sending a set of random values to the entity, wherein the random value is one of the set of random values.
12. The method of claim 8, further comprising sending a set of random values to the entity, wherein the random value is one of the set of random values.
13. The method of claim 8, wherein the entity is a vehicle.
14. The method of claim 8, wherein the access identifier is a vehicle identification number (VIN) or a globally unique identifier (GUID).
15. A non-transitory computer-readable medium comprising instructions for managing data transfer and privacy via a multi-channel transfer of information that, when executed by one or more data servers, cause the one or more data servers to perform operations including to:
receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored;
access a consented data pool to identify a random value corresponding to the access identifier;
compute a hash value using a combination of both the access identifier and the random value;
query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and
return the results to the client device responsive to the query.
16. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to:
receive, via a first communication channel, anonymous data from the entity, the anonymous data being tagged with the hash value of both the access identifier corresponding to the entity and the random value;
receive, via a second communication channel, the access identifier and the random value;
maintain the anonymous data in the anonymous data pool; and
maintain the access identifier and the random value in the consented data pool.
17. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to untag the hash value from the anonymous data pool, such that the anonymous data pool is no longer linked to the access identifier and the random value.
18. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to send a set of random values to the entity, wherein the random value is one of the set of random values.
19. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to send a set of random values to the entity, wherein the random value is one of the set of random values.
20. The medium of claim 15, wherein the entity is a vehicle and the access identifier is a vehicle identification number (VIN) or a globally unique identifier (GUID).
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/545,372 US20230177202A1 (en) | 2021-12-08 | 2021-12-08 | Privacy aware multi channel data transfer |
CN202211509911.8A CN116318774A (en) | 2021-12-08 | 2022-11-29 | Privacy aware multi-channel data transfer |
DE102022131816.8A DE102022131816A1 (en) | 2021-12-08 | 2022-11-30 | DATA PROTECTION-AWARE MULTI-CHANNEL DATA TRANSMISSION |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/545,372 US20230177202A1 (en) | 2021-12-08 | 2021-12-08 | Privacy aware multi channel data transfer |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230177202A1 true US20230177202A1 (en) | 2023-06-08 |
Family
ID=86498557
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/545,372 Pending US20230177202A1 (en) | 2021-12-08 | 2021-12-08 | Privacy aware multi channel data transfer |
Country Status (3)
Country | Link |
---|---|
US (1) | US20230177202A1 (en) |
CN (1) | CN116318774A (en) |
DE (1) | DE102022131816A1 (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110276804A1 (en) * | 2009-01-16 | 2011-11-10 | Panasonic Corporation | Server authentication method and client terminal |
US20120087494A1 (en) * | 2009-03-20 | 2012-04-12 | Compugroup Holding Ag | Method for providing cryptographical key pairs |
US20200218729A1 (en) * | 2019-01-09 | 2020-07-09 | Hyundai Motor Company | Method for Collecting and Managing Event Data of a Vehicle |
US20200311357A1 (en) * | 2019-03-27 | 2020-10-01 | Oki Data Corporation | Authentication processing system, authentication method and image processing apparatus |
US20210019806A1 (en) * | 2019-07-15 | 2021-01-21 | Amadeus S.A.S. | Search-query redirection |
US20220222233A1 (en) * | 2021-01-13 | 2022-07-14 | Bigid Inc | Clustering of structured and semi-structured data |
2021
- 2021-12-08 US US17/545,372 patent/US20230177202A1/en active Pending
2022
- 2022-11-29 CN CN202211509911.8A patent/CN116318774A/en active Pending
- 2022-11-30 DE DE102022131816.8A patent/DE102022131816A1/en active Pending
Non-Patent Citations (3)
Title |
---|
Gusikhin et al., Dynamic Cloud-based Vehicle Apps, IN PROCEEDINGS OF THE 4TH INTERNATIONAL CONFERENCE ON VEHICLE TECHNOLOGY AND INTELLIGENT TRANSPORT SYSTEMS, pp. 626–635 (2019) (Year: 2019) * |
Makke et al., Connected Vehicle Prognostics Framework for Dynamic Systems, PROCEEDINGS OF THE THIRD INTERNATIONAL SCIENTIFIC CONFERENCE "INTELLIGENT INFORMATION TECHNOLOGIES FOR INDUSTRY," pp. 3–15 (2019) (Year: 2019) * |
Yang et al., The Effectiveness of Cloud-based Smart In-vehicle Air Quality Management, IEEE, pp. 325–329 (2016) (Year: 2016) * |
Also Published As
Publication number | Publication date |
---|---|
DE102022131816A1 (en) | 2023-06-15 |
CN116318774A (en) | 2023-06-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3445019B1 (en) | Vehicle-based communication method and system | |
JP2010520540A5 (en) | ||
US9854015B2 (en) | Incident data collection for public protection agencies | |
US20140244312A1 (en) | Systems and methods for providing insurance information exchange | |
TW201227542A (en) | System and method for integrating car videos | |
EP2940601A1 (en) | Device information providing system, and device information providing method | |
US11750383B2 (en) | Multi-level access control in sharing of vehicle data with devices | |
US20230177202A1 (en) | Privacy aware multi channel data transfer | |
JP2024009115A (en) | Information provision system | |
US11265713B2 (en) | Validating vehicles traveling within specific regions | |
US20230276482A1 (en) | Resource selection for 5g nr v2x communications | |
US11626977B2 (en) | Out-of-band key splitting and key derivation | |
US20220355701A1 (en) | Transport battery health | |
US10904720B2 (en) | Deriving signal location information and removing private information from it | |
US20200242933A1 (en) | Parking management and communication of parking information | |
WO2021237527A1 (en) | Information processing method and apparatus, and device and computer storage medium | |
US20220318425A1 (en) | Occupant feature recognition to ensure privacy consent | |
US11972015B2 (en) | Personally identifiable information removal based on private area logic | |
US20220382903A1 (en) | Personally identifiable information removal based on private area logic | |
US20240143804A1 (en) | Communicating privacy rights pertaining to data captured by a vehicle | |
US11411766B2 (en) | Secure controller area network (CAN) transceiver | |
US20230382393A1 (en) | Property loss prevention | |
CN115329362A (en) | Embedded metadata for implementing data privacy compliance | |
US11935093B1 (en) | Dynamic vehicle tags | |
TW201409263A (en) | Method and apparatus of searching and sharing driving record video, computer terminal and computer readable medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: FORD GLOBAL TECHNOLOGIES, LLC, MICHIGAN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MAKKE, OMAR;GUSIKHIN, OLEG Y.;TONSHAL, BASAVARAJ;AND OTHERS;SIGNING DATES FROM 20211123 TO 20211129;REEL/FRAME:058339/0538 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |